Businesses have plenty of reasons to switch from self-owned / on-prem data centers to colocation data centers. Facility management is time-consuming and expensive, and it absorbs funding and energy better spent enhancing business and IT competencies. There’s also the complexity of power and airflow management to contend with, and saving energy to bring costs down is a painstaking chore that requires an immense amount of forethought.
Carrier connectivity is yet another burden better left to the colocation data center—a multi-tenant, carrier-neutral facility provides greater flexibility at lower costs than a single-customer data center.
For all of these reasons and more, many businesses find it advantageous to work with a colocation provider.
Data center security and compliance
Many organizations, particularly in finance and healthcare, are governed by stringent regulations and subject to penalties for violating them. That’s to say nothing of the operational and reputational risk of a data breach or other cyber incident. Insurance companies, banks, healthcare IT providers, hospitals and many other types of organizations store and process vast quantities of private data that attackers target for theft or for extortion, à la ransomware and DDoS.
So, is this information safe when stored and processed in the colocation center? The short answer is yes, but let’s examine some of the reasons why.
A colocation data center provider is responsible for facility infrastructure. Deployment and management of the actual IT equipment is entirely in the tenant’s hands, as are the virtual safeguards implemented to protect those assets. These include real-time network monitoring, firewalls, application protection, endpoint security at the user level and more.
From a cybersecurity point of view, nothing changes about the virtual logistics of securing your network. It’s still your job to provide adequate cybersecurity for your own technology stack. To that end, it’s important to build a multi-layer security perimeter, either internally or by delegating different layers to different organizations. Either way, note that the colocation provider is principally concerned with the physical safekeeping of the hardware.
In that same vein, tenants are responsible for logical security controls mandated by regulations such as HIPAA (for healthcare) and PCI (for any organization processing and storing payment card data). For instance, it’s their job to manage system access control, properly encrypt data, enforce enterprise security policies, use authentication, manage software updates, etc. In this sense, the tenant is still in control of the end user, which means the business can implement the types of controls that meet its specific needs.
That said, a best-in-class colocation provider can support data center security and compliance efforts in several key ways. Let’s look at some examples.
Since a colocation data center is principally focused on physical access and on protecting equipment from environmental hazards, it must also provide:
- 24/7 security officer staffing.
- Access control systems such as biometric authentication (e.g., fingerprint readers).
- Cameras covering key locations, with footage retained for a minimum of 90 days.
- Multi-layered physical security with escalating access points.
- Environmental monitoring.
- Custom security controls for tenants with other special requirements.
Physical access control (e.g., who can walk into certain parts of the building) is the most immediate way colocation facilities help tenants manage industry compliance with their data center.
Take the example of the Health Insurance Portability and Accountability Act (HIPAA). Any entity that manages or accesses protected health information (PHI) must implement physical safeguards that protect “electronic information systems and related buildings and equipment from natural and environmental hazards, and unauthorized intrusion.”
We can interpret this to mean that any servers in a colocation data center that store or transmit PHI must be safe from unauthorized physical access, but also from environmental hazards that may cause downtime and prevent a healthcare institution or patient from being able to access that data. Simply put, this would fall under the purview of a HIPAA-compliant colocation provider.
The same can be said for Payment Card Industry (PCI) regulations. Any location that stores or processes payment card data (including a server room or data center) is considered a high-security area (HSA) that must have its access routes, as well as any activity occurring within the room, monitored with CCTV cameras. This surveillance is just one example of a physical safeguard that a PCI-compliant colocation data center handles for tenants.
Other broad compliance frameworks that colocation data centers may adhere to include:
- Service Organization Controls 2 (SOC 2): Establishes “Trust Services Criteria” for controls pertaining to security, availability, processing integrity, confidentiality and privacy of systems.
- International Organization for Standardization (ISO 27001): A certification that validates an information security management system (ISMS). This standard verifies that an organization systematically addresses elements of security tied to “people, processes and IT systems by applying a risk management process.”
Learn more about colocation security and compliance
The main takeaway here is that a reputable colocation data center provider delivers enterprise-grade security and accommodates most, if not all, industry-specific compliance codes.
Still, Sabey Data Centers is more than happy to answer any additional questions pertaining to security and compliance you might have. Reach out to us today for additional information.